Azure Active Directory (Azure AD) self-service password reset (SSPR) lets users reset their passwords in the cloud.
If you have problems with SSPR, the following troubleshooting steps and common errors may help. You can also watch this short video, How to resolve the six most common SSPR end-user error messages.
If you can't find the answer to your problem, our support teams are always available to assist you further.
SSPR configuration in the Azure portal
If you have problems seeing or configuring SSPR options in the Azure portal, review the following troubleshooting steps:
I don't see the Password reset section under Azure AD in the Azure portal.
You won't see the Password reset menu option if you don't have an Azure AD license assigned to the administrator performing the operation.
To assign a license to the administrator account in question, follow the steps to Assign, verify, and resolve problems with licenses.
I don't see a particular configuration option.
Many elements of the UI are hidden until they're needed. Make sure the option is enabled before you look for the specific configuration options.
I don't see the On-premises integration tab.
On-premises password writeback is only visible if you've downloaded Azure AD Connect and have configured the feature.
For more information, see Getting started with Azure AD Connect.
If you have problems with SSPR reporting in the Azure portal, review the following troubleshooting steps:
I see an authentication method that I have disabled in the Add method option in combined registration.
The combined registration takes into account three policies to determine what methods are shown in Add method:
If you disable app notifications in SSPR but enable it in MFA policy, that option appears in combined registration. For another example, if a user disables Office phone in SSPR, it is still displayed as an option if the user has the Phone/Office phone property set.
I don't see any password management activity types in the Self-Service Password Management audit event category.
This can happen if you don't have an Azure AD license assigned to the administrator performing the operation.
To assign a license to the administrator account in question, follow the steps to Assign, verify, and resolve problems with licenses.
User registrations show multiple times.
When a user registers, we currently log each individual piece of data that's registered as a separate event.
If you want to aggregate this data and have greater flexibility in how you can view it, you can download the report and open the data as a pivot table in Excel.
SSPR registration portal
If your users have problems registering for SSPR, review the following troubleshooting steps:
The directory isn't enabled for password reset. The user may see an error that reports, "Your administrator has not enabled you to use this feature."
You can enable SSPR for all users, no users, or for selected groups of users. Only one Azure AD group can currently be enabled for SSPR using the Azure portal. As part of a wider deployment of SSPR, nested groups are supported. Make sure that the users in the group(s) you choose have the appropriate licenses assigned.
In the Azure portal, change the Self-service password reset enabled configuration to Selected or All and then select Save.
The user doesn't have an Azure AD license assigned. The user may see an error that reports, "Your administrator has not enabled you to use this feature."
Only one Azure AD group can currently be enabled for SSPR using the Azure portal. As part of a wider deployment of SSPR, nested groups are supported. Make sure that the users in the group(s) you choose have the appropriate licenses assigned. Review the previous troubleshooting step to enable SSPR as required.
Also review troubleshooting steps to make sure that the administrator performing the configuration options has a license assigned. To assign a license to the administrator account in question, follow the steps to Assign, verify, and resolve problems with licenses.
There's an error processing the request.
Generic SSPR registration errors can be caused by many issues, but generally this error is caused by either a service outage or a configuration issue. If you continue to see this generic error when you retry the SSPR registration process, contact Microsoft support for additional assistance.
If you or your users have problems using SSPR, review the following troubleshooting scenarios and resolution steps:
|Error|Solution|
|---|---|
|The directory isn't enabled for password reset.|In the Azure portal, change the Self-service password reset enabled configuration to Selected or All and then select Save.|
|The user doesn't have an Azure AD license assigned.|This can happen if you don't have an Azure AD license assigned to the desired user. To assign a license to the administrator account in question, follow the steps to Assign, verify, and resolve problems with licenses.|
|The directory is enabled for password reset, but the user has missing or malformed authentication information.|Make sure that user has properly formed contact data on file in the directory. For more information, see Data used by Azure AD self-service password reset.|
|The directory is enabled for password reset, but the user has only one piece of contact data on file when the policy is set to require two verification methods.|Make sure that the user has at least two properly configured contact methods. An example is having both a mobile phone number and an office phone number.|
|The directory is enabled for password reset and the user is properly configured, but the user is unable to be contacted.|This can be the result of a temporary service error or if there's incorrect contact data that we can't properly detect. If the user waits 10 seconds, a link is displayed to "Try again" and "Contact your administrator". If the user selects "Try again," it retries the call. If the user selects "Contact your administrator," it sends a form email to the administrators requesting a password reset to be performed for that user account.|
|The user never receives the password reset SMS or phone call.|This can be the result of a malformed phone number in the directory. Make sure the phone number is in the format "+1 4251234567". Password reset doesn't support extensions, even if you specify one in the directory. The extensions are stripped before the call is made. Use a number without an extension, or integrate the extension into the phone number in your private branch exchange (PBX).|
|The user never receives the password reset email.|The most common cause for this problem is that the message is rejected by a spam filter. Check your spam, junk, or deleted items folder for the email. Also, make sure the user checks the correct email account as registered with SSPR.|
|I've set a password reset policy, but when an admin account uses password reset, that policy isn't applied.|Microsoft manages and controls the administrator password reset policy to ensure the highest level of security.|
|The user is prevented from attempting a password reset too many times in a day.|An automatic throttling mechanism is used to block users from attempting to reset their passwords too many times in a short period of time. Throttling occurs in the following scenarios:|
|The user sees an error when validating their phone number.|This error occurs when the phone number entered doesn't match the phone number on file. Make sure the user is entering the complete phone number, including the area and country code, when they attempt to use a phone-based method for password reset.|
|The user sees an error when using their email address.|If the UPN differs from the primary ProxyAddress/SMTPAddress of the user, the Sign-in to Azure AD with email as an alternate login ID setting must be enabled for the tenant.|
|There's an error processing the request.|Generic SSPR registration errors can be caused by many issues, but generally this error is caused by either a service outage or a configuration issue. If you continue to see this generic error when you retry the SSPR registration process, contact Microsoft support for additional assistance.|
|On-premises policy violation|The password doesn't meet the on-premises Active Directory password policy. The user must define a password that meets the complexity or strength requirements.|
|Password doesn't comply with fuzzy policy|The password that was used appears in the banned password list and can't be used. The user must define a password that meets or exceeds the banned password list policy.|
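Several rows above come down to the quality of contact data in the directory: malformed phone numbers, extensions that are stripped before the call, and too few methods for a two-method policy. The following added example (not part of the original article or any Microsoft tooling) audits a constructed user export for those three conditions; the column names, the digit-count bounds, and the extension patterns are assumptions.

```python
import re

# Assumption: "+<country code> <digits>" is inferred from the page's sample
# "+1 4251234567"; the digit-count bounds are illustrative, not official.
PHONE_RE = re.compile(r"^\+(\d{1,3}) (\d{4,14})$")
# Assumption: common ways an extension gets typed into directory data.
EXT_RE = re.compile(r"\s*(?:x|ext\.?|#)\s*\d+\s*$", re.IGNORECASE)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Hypothetical column names for an exported user list.
PHONE_FIELDS = ("mobile_phone", "office_phone")
EMAIL_FIELDS = ("alternate_email",)


def check_phone(value):
    """Return (well_formed, note) for one phone attribute."""
    value = value.strip()
    if not value:
        return (False, "empty")
    ext = EXT_RE.search(value)
    base = value[:ext.start()] if ext else value
    if not PHONE_RE.match(base):
        return (False, f"malformed: {value!r}")
    if ext:
        # The page: extensions are stripped before the call is made.
        return (True, f"extension is stripped before the call: {value!r}")
    return (True, "")


def audit_user(user, required_methods=2):
    """List the contact-data problems for one user record."""
    findings, usable = [], 0
    for field in PHONE_FIELDS:
        ok, note = check_phone(user.get(field, ""))
        usable += ok
        if note and note != "empty":
            findings.append(f"{field}: {note}")
    for field in EMAIL_FIELDS:
        value = user.get(field, "").strip()
        if value and EMAIL_RE.match(value):
            usable += 1
        elif value:
            findings.append(f"{field}: malformed: {value!r}")
    if usable < required_methods:
        findings.append(
            f"only {usable} usable contact method(s); "
            f"policy requires {required_methods}"
        )
    return findings


def audit_directory(users, required_methods=2):
    """Map UPN -> findings, listing only users that have problems."""
    report = {}
    for user in users:
        findings = audit_user(user, required_methods)
        if findings:
            report[user["upn"]] = findings
    return report


# Constructed sample data, not taken from any real tenant.
SAMPLE_USERS = [
    {"upn": "alice@example.com", "mobile_phone": "+1 4251234567",
     "office_phone": "+1 4255550100"},
    {"upn": "bob@example.com", "mobile_phone": "425-123-4567",
     "alternate_email": "bob@example.org"},
    {"upn": "carol@example.com", "mobile_phone": "+1 4251234567",
     "office_phone": "+1 4255550100 x1234"},
    {"upn": "dave@example.com", "mobile_phone": "+44 2079460000"},
]

if __name__ == "__main__":
    for upn, findings in audit_directory(SAMPLE_USERS).items():
        print(upn)
        for finding in findings:
            print("  -", finding)
```

Users flagged for too few usable methods are the ones who fall under the "only one piece of contact data" row when the policy requires two verification methods.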
SSPR errors that a user might see
The following errors and technical details may be shown to a user as part of the SSPR process. Often, the error isn't something they can resolve themselves, as the SSPR feature needs to be enabled, configured, or registered for their account.
Use the following information to understand the problem and what needs to be corrected on the Azure AD tenant or individual user account.
|Error|Details|Technical details|
|---|---|---|
|TenantSSPRFlagDisabled = 9|We're sorry, you can't reset your password at this time because your administrator has disabled password reset for your organization. There is no further action you can take to resolve this situation. Please contact your admin and ask them to enable this feature. To learn more, see Help, I forgot my Azure AD password.|SSPR_0009: We've detected that password reset has not been enabled by your administrator. Please contact your admin and ask them to enable password reset for your organization.|
|WritebackNotEnabled = 10|We're sorry, you can't reset your password at this time because your administrator has not enabled a necessary service for your organization. There is no further action you can take to resolve this situation. Please contact your admin and ask them to check your organization's configuration. To learn more about this necessary service, see Configuring password writeback.|SSPR_0010: We've detected that password writeback has not been enabled. Please contact your admin and ask them to enable password writeback.|
|SsprNotEnabledInUserPolicy = 11|We're sorry, you can't reset your password at this time because your administrator has not configured password reset for your organization. There is no further action you can take to resolve this situation. Contact your admin and ask them to configure password reset. To learn more about password reset configuration, see Quickstart: Azure AD self-service password reset.|SSPR_0011: Your organization has not defined a password reset policy. Please contact your admin and ask them to define a password reset policy.|
|UserNotLicensed = 12|We're sorry, you can't reset your password at this time because required licenses are missing from your organization. There is no further action you can take to resolve this situation. Please contact your admin and ask them to check your license assignment. To learn more about licensing, see Licensing requirements for Azure AD self-service password reset.|SSPR_0012: Your organization does not have the required licenses necessary to perform password reset. Please contact your admin and ask them to review the license assignments.|
|UserNotMemberOfScopedAccessGroup = 13|We're sorry, you can't reset your password at this time because your administrator has not configured your account to use password reset. There is no further action you can take to resolve this situation. Please contact your admin and ask them to configure your account for password reset. To learn more about account configuration for password reset, see Roll out password reset for users.|SSPR_0013: You are not a member of a group enabled for password reset. Contact your admin and request to be added to the group.|
|UserNotProperlyConfigured = 14|We're sorry, you can't reset your password at this time because necessary information is missing from your account. There is no further action you can take to resolve this situation. Please contact you admin and ask them to reset your password for you. After you have access to your account again, you need to register the necessary information. To register information, follow the steps in the Register for self-service password reset article.|SSPR_0014: Additional security info is needed to reset your password. To proceed, contact your admin and ask them to reset your password. After you have access to your account, you can register additional security info at https://aka.ms/ssprsetup. Your admin can add additional security info to your account by following the steps in Set and read authentication data for password reset.|
|OnPremisesAdminActionRequired = 29|We're sorry, we can't reset your password at this time because of a problem with your organization's password reset configuration. There is no further action you can take to resolve this situation. Please contact your admin and ask them to investigate. We cannot reset your password at this time because of a problem with your organization's password reset configuration. There is no further action you can take to resolve this issue. Please contact your admin and ask them to investigate. To learn more about the potential problem, see Troubleshoot password writeback.|SSPR_0029: We are unable to reset your password due to an error in your on-premises configuration. Please contact your admin and ask them to investigate.|
|OnPremisesConnectivityError = 30|We're sorry, we can't reset your password at this time because of connectivity issues to your organization. There is no action to take right now, but the problem might be resolved if you try again later. If the problem persists, please contact your admin and ask them to investigate. To learn more about connectivity issues, see Troubleshoot password writeback connectivity.|SSPR_0030: We can't reset your password due to a poor connection with your on-premises environment. Contact your admin and ask them to investigate.|
Azure AD forums
If you have general questions about Azure AD and self-service password reset, you can ask the community for assistance on the . Members of the community include engineers, product managers, MVPs, and fellow IT professionals.
If you can't find the answer to a problem, our support teams are always available to assist you further.
To properly assist you, we ask that you provide as much detail as possible when opening a case. These details include the following:
- General description of the error: What is the error? What was the behavior that was noticed? How can we reproduce the error? Provide as much detail as possible.
- Page: What page were you on when you noticed the error? Include the URL if you're able to and a screenshot of the page.
- Support code: What was the support code that was generated when the user saw the error?
  - To find this code, reproduce the error, then select the Support code link at the bottom of the screen and send the support engineer the GUID that results.
  - If you're on a page without a support code at the bottom, select F12 and search for the SID and CID and send those two results to the support engineer.
- Date, time, and time zone: Include the precise date and time with the time zone that the error occurred.
- User ID: Who was the user who saw the error? An example is email@example.com.
  - Is this a federated user?
  - Is this a pass-through authentication user?
  - Is this a password-hash-synchronized user?
  - Is this a cloud-only user?
- Licensing: Does the user have an Azure AD license assigned?
- Application event log: If you're using password writeback and the error is in your on-premises infrastructure, include a zipped copy of your application event log from the Azure AD Connect server.
To learn more about SSPR, see How it works: Azure AD self-service password reset or How does self-service password reset writeback work in Azure AD?.
Azure Active Directory (Azure AD) self-service password reset (SSPR) gives users the ability to change or reset their password, with no administrator or help desk involvement. If a user's account is locked or they forget their password, they can follow prompts to unblock themselves and get back to work.
How do I reset my Microsoft self service password?
Sign in to your Office 365 account, using your existing password. Select your profile on the upper-right side, and then select View account. Select Security & privacy > Password. Type your old password, create and confirm your new password, and then select Submit.
Which self service password reset option can force users to configure the answer to security questions?
Instead, security questions can be used during the self-service password reset (SSPR) process to confirm who you are. Administrator accounts can't use security questions as verification method with SSPR. When users register for SSPR, they're prompted to choose the authentication methods to use.
Does self-service password reset require MFA?
Self-Service Password Reset (SSPR) allows you to reset your Microsoft 365 account password yourself by confirming your identity with the MFA method. This avoids a call to the service desk to reset your password. To register for MFA and Self-Service Password Resets, follow the steps below.
What is a prerequisite option for self-service password reset in AD connect?
- A working Azure AD tenant with at least an Azure AD Premium P1 or trial license enabled. ...
- An account with Hybrid Identity Administrator.
- Azure AD configured for self-service password reset. ...
- An existing on-premises AD DS environment configured with a current version of Azure AD Connect.
We recommend that organizations use the combined registration experience for Azure AD Multi-Factor Authentication and self-service password reset (SSPR). SSPR allows users to reset their password in a secure way using the same methods they use for Azure AD Multi-Factor Authentication.
Is self-service password reset a security issue?
Both manual and automated self-service password resets can put systems at risk, since they are highly vulnerable to social engineering attacks.
How long does password writeback take to work 5 seconds?
Password writeback allows users to get real-time feedback about the success of their password reset or change operation. The average time for a successful writeback of a password is under 500 ms.
Why am I being asked to reset my Microsoft password?
This is a security feature of all Microsoft accounts which cannot be turned off. If the option for 72 days password expiration is enabled in your account then it will automatically ask you to reset password.
How do I unlock my self account?
Log in to Admin Portal, click Access > Policies tab, and select the policy set. Click User Security Policies > Self Service. Select Yes in the Enable account self service controls drop-down. Enable the Account Unlock option.
- Provide a meaningful name to explain what the setting is doing, such as Add SSPR link.
- Optionally provide a meaningful description of the setting.
Administrators are always enabled for self-service password reset and are required to use two authentication methods to reset their password. If registration is required, unregistered users are prompted to register their own authentication information when they sign in for the first time.
Which of the following are valid ways to reset a user's password on a stand alone Windows 10 computer?
- Press Windows key + R.
- Type: control userpasswords2.
- Hit Enter key on your keyboard.
- Select the account, then click Reset password.
- Enter the new password and confirm it, then click OK.
When a user loses a password, they can click the forgot password link on the login page to receive an email with steps to reset it. The user must answer the security question correctly to reset the password.
Is there a way to bypass MFA?
Another social engineering technique that is becoming popular is known as “consent phishing”. This is where hackers present what looks like a legitimate OAuth login page to the user. The hacker will request the level of access they need, and if access is granted, they can bypass MFA verification.
Do you need MFA If you have SSO?
No. If MFA is enabled for your SSO identity provider, you don't need to enable Salesforce's MFA for users who log in via SSO. But if you have admins or other privileged users who log in to your Salesforce products directly, you do need to set up Salesforce's MFA for these users.
How do attackers bypass MFA?
MFA bypass via proxy attacks
In a proxy attack, the phishing site sits between the user and the target website. The phishing site passes relevant web pages and data, including passwords and multifactor authentication, back and forth between the user and the target site.
Authentication Methods in Azure
For SSPR, the following authentication mechanisms are available: Mobile app notification. Mobile app code. Email.
- From the main login page, click Login with SLS.
- Click Forgot Password.
- Enter your SLS Username.
- Click Submit.
- Select Receiving a password reset link in my email.
- Click Submit.
- An email with the password reset link will be sent to your email address.
- Click the reset password link in the email.
To create an SPN, you can use the SetSPN command line utility. For more information, see: SetSPN. Service Principal Names (SPNs) SetSPN Syntax (Setspn.exe)
Most self-service flaws relate to three failure points: External search, site navigation and self-service capabilities. Identifying and addressing these gaps will encourage more customers to opt for self-service or keep them there.
Is password reset a service request or incident?
The best practice, in adherence with ITIL standards, would be to consider a password reset a request and not an incident as an incident is defined as "an unplanned interruption to an IT service or reduction in the quality of an IT service".
What do you do if a customer needs to reset their password and has access to their phone number and email address Turbotax?
- Go to the account recovery page.
- Enter one of the following: Phone number (recommended) Email address. User ID.
- Follow the instructions. We'll customize them based on the info you provide and whether we recognize the device.
Basic SSPR features are available in Microsoft 365 Business Standard or higher and all Azure AD Premium SKUs at no cost.
What is password lockout duration?
Account lockout duration: This is the amount of time the account will remain locked out. This is commonly set to 20 or 30 min. An administrator can manually unlock the account at any time after it has been locked.
How long does it take a hacker to crack an 8 digit password?
The findings suggest that even an eight-character password (with a healthy mix of numbers, uppercase letters, lowercase letters and symbols) can be cracked within eight hours by the average hacker.
How long does it take a hacker to guess your password?
It found if you're using numbers only in your password, it would take hackers no more than three minutes if you have 14 or fewer characters. Even using up to 18 characters would take hackers no more than three weeks to hack your account.
Why is Microsoft not accepting my password?
If you recently change your Microsoft Account password in the web browser but now Windows 10 won't accept your Microsoft account password, make sure your computer is connected to the internet. This will allow your PC to register the new password, and you'll be able to log in to your PC again.
How many attempts unlock Microsoft account?
Windows security baselines recommend configuring a threshold of 10 invalid sign-in attempts, which prevents accidental account lockouts and reduces the number of Help Desk calls, but doesn't prevent a DoS attack. Using this type of policy must be accompanied by a process to unlock locked accounts.
Why does my Microsoft account keep getting locked for no reason?
To help protect your account from fraud or abuse, Microsoft temporarily locks accounts when unusual activity is noticed. To unlock your account, sign in to your Microsoft account and follow the instructions to get a security code.
In the admin center, go to the Settings > Org settings page. At the top of the Org settings page, select the Security & Privacy tab. Select Self-service Password Reset. Under Self-service password reset, select Go to the Azure portal to turn on self-service password reset.
What is set up self-service password reset?
Self Service Password reset allows end-users to reset passwords without the intervention of an administrator. You can use the self-service password reset tool so you don't have to contact your administrator to reset your password.
How does Azure AD self-service password reset work?
Azure Active Directory (Azure AD) self-service password reset (SSPR) gives users the ability to change or reset their password, with no administrator or help desk involvement. If a user's account is locked or they forget their password, they can follow prompts to unblock themselves and get back to work.
How do I reset my Azure Active Directory password?
- Sign in to the Azure portal as a user administrator, or password administrator. ...
- Select Azure Active Directory, select Users, search for and select the user that needs the reset, and then select Reset Password. ...
- In the Reset password page, select Reset password.
In the pop-up dialog, select Connect to Active Directory Forest: Enter the new password of the AD DS connector account in the Password textbox. Click OK to save the new password and close the pop-up dialog. Restart the Microsoft Azure AD Sync service under Windows Service Control Manager.
How do I find my Azure username and password?
Log in to the Microsoft Azure management console. Click the “Virtual machines” icon in the toolbar and select your server from the resulting list. In the “Support + Troubleshooting” menu, select the “Boot diagnostics” option. Review the system log until you find the administrator username and password.
How do I find my Azure service principal ID and password?
- Log in to the Azure portal.
- Type in 'Azure Active Directory' in the search bar. ...
- Select 'Enterprise applications' under Manage on the left navigation bar.
- Select the enterprise application. ...
- Under 'Properties' you'll find the object ID.
To change the Azure AD Password Protection settings we will need to open the Azure AD portal: Go to portal.azure.com. Open the Azure Active Directory. Click on Security > Authentication Methods > Password Protection.
How do I unlock my aad account?
If a user gets locked out of their account in Azure AD Domain services there is no way to unlock it. The user has to wait for 30 minutes.
How do I recover my connect password?
Connect - Reset your password
- Open this page.
- Enter the email address associated with your Connect account.
- Click Submit.
SSPR allows users to reset their password in a secure way using the same methods they use for Azure AD Multi-Factor Authentication.
How do you troubleshoot Intune issues?
- Sign in to Microsoft Endpoint Manager admin center.
- Select Troubleshooting + support > Troubleshoot.
- Find and select a User by entering a display name or email.
- If the user has multiple devices, filter by Device.
- Review the provided information to help troubleshoot end-user issues.
The notification is displayed if a work profile password is required and set. After their passcode is entered, the notification is dismissed. After the reset passcode is selected from the admin center, a temporary passcode is presented to the admin.
What is my Azure Active Directory username?
If you're using Microsoft Azure AD, then your username is most likely your email address.
What is Azure AD password SSO?
Password based Single Sign-On (SSO) uses the existing authentication process for the application. When you enable password-based SSO, Azure Active Directory (Azure AD) collects, encrypts, and securely stores user credentials in the directory.
How do I check my AZ login?
To retrieve the certificate for az login, see Retrieve certificate from Key Vault. If you want to avoid displaying your password on console and are using az login interactively, use the read -s command under bash. Under PowerShell, use the Get-Credential cmdlet.
Where can I find service principal key?
- Select Azure Active Directory and then select Enterprise applications.
- Under Application Type, choose All Applications and then select Apply.
- In the search filter box, type the name of the Azure resource that has managed identities enabled or choose it from the list.
The output for a service principal with password authentication includes the password key. Make sure you copy this value - it can't be retrieved. If you lose the password, reset the service principal credentials.
What is service principal key?
An Azure service principal (a special user) is an identity created for use with applications, hosted services, and automated tools to access Azure resources. This access key is restricted by the roles assigned to the service principal, giving you control over which resources can be accessed and at which level.